Malware Analysis Report

2024-10-19 11:55

Sample ID 231004-1wn9fafc6z
Target e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.bin
SHA256 e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566

Threat Level: Known bad

The file e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus payload

Alienbot

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

android-x86-arm-20230831-en

Max time kernel

4239842s

Max time network

148s

Command Line

com.swift.wrap

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json N/A N/A
N/A /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.swift.wrap

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/x86/pFFJk.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.138:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
GB 216.58.208.106:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
NL 172.217.168.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 eklimitonay.online udp

Files

/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 0219b6d26de9a569780bfc32d089ad79
SHA1 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe
SHA256 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9
SHA512 a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e

/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3f3a4f6cd15e01e61d5661f8331c0a34
SHA1 51c652dac5a7e722e80abff83ee2be3f964d789d
SHA256 f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275
SHA512 f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 41e439e3c62b9885f1dbd5934dde2949
SHA1 73ded2dacfe908dc8ed08a3535d0111d712501a3
SHA256 5aae4163bcb5869a98f0fd358726b42076b58b30db4ee0e24951952a2ad8a6a0
SHA512 e5b47ba9910f9ab6ded461dfc33dabe65d7ee2b6cdfced599c6ca126a4786391492ef514435e567e522932fac27bb425f1a54b7ca9ba8e2933e7d6d1e490a9a2

/data/data/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof

MD5 b31f0f9fb507566ff3910a34e79f1911
SHA1 2b8b557514c2e70da52b84ddb9d44e1ffd0d9d6b
SHA256 49b5f8f9f4c677a27fbf697a74c3420f50d4b6bc0a593acd5d8e63e5622b7b5d
SHA512 13dc191c41c96872dad603a82726aaa8179bd62bb361cb184bb54f1600a4349b5bcc58e57aa8ad33ea227f7cf52eceee96c397238a4b6e8f994d156147ead04c

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

android-x64-20230831-en

Max time kernel

4239840s

Max time network

156s

Command Line

com.swift.wrap

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json N/A N/A

Processes

com.swift.wrap

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 eklimitonay.online udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp

Files

/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 0219b6d26de9a569780bfc32d089ad79
SHA1 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe
SHA256 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9
SHA512 a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e

/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3f3a4f6cd15e01e61d5661f8331c0a34
SHA1 51c652dac5a7e722e80abff83ee2be3f964d789d
SHA256 f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275
SHA512 f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/data/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof

MD5 7cde27ad64a58ae6c614a4c1c1e8bb0e
SHA1 ac34e8bd866ee9090da0b476bb216026e7a501fb
SHA256 ddd0101bc580f556e5e2bd6af10f96dad01ad5102680715ce63d1d00b8be12a3
SHA512 f933bcc4ec1f0264b852b7334a054499c94af6cc3fcb88b60f4d6471f688bcefad788e02b0f1407ce1c1c07fceb8353122475859ccd295947970450204e3702d

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

4239862s

Max time network

159s

Command Line

com.swift.wrap

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.swift.wrap

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.133.18:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.39.104:443 ssl.google-analytics.com tcp
NL 142.251.36.10:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 eklimitonay.online udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp

Files

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 0219b6d26de9a569780bfc32d089ad79
SHA1 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe
SHA256 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9
SHA512 a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3f3a4f6cd15e01e61d5661f8331c0a34
SHA1 51c652dac5a7e722e80abff83ee2be3f964d789d
SHA256 f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275
SHA512 f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8

/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

MD5 3eb1657245e2ca6c42bbeafacf31f02a
SHA1 b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA256 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof

MD5 c67c80ebf9e52f29ca0fa1f2bfc43335
SHA1 67e214f0393eb6481a4a53866c485ad67c6a3a2b
SHA256 e9f317073732d5dc4c0408e1d1a83af57f83bfcefc4df550704abee2cec4aa10
SHA512 51ee6d2cccf129ddd60b578ff7b02a1d15d527101dae11017f6fa031a3fba4934a1121672ab75a9cacf9a79b961dce1af81dc9fa354c688f4248bb8514c360a4

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win7-20230831-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-04 22:00

Reported

2023-10-04 22:02

Platform

win7-20230831-en

Max time kernel

136s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000004c0ec347028075f66e4d4b49a2aa4a509aafdb87b5042312093f188bc54a8a9e000000000e80000000020000200000001e59ee08eff19d7e108acfdb610eabe90b7638cc260e8e2d11dad7d4729fe1772000000021216f4266fb7dbec92df779c13249732fa9444699a652b5a476910edb53677940000000c3cb55205a1a9d575c0697291482a4c97c9a178f1cd12264d6f838449fa63a135ecd8c7b495548f51da0e53e434f066f10c3521a019fd6ece97799a3d5911a06 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not recovered from the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618685" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66716A51-6301-11EE-8E84-7200988DF339} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e030f03b0ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5386c5cd42fcc012a1c21a1b45e489e0
SHA1 e9e5bdcd283a775a3c64a812429961475d889763
SHA256 79498ea2a48f33e2e0a37780d76f9f45340e962928b80e053fd3ea1c7c18bb3e
SHA512 d205dca5e39e7e4a70695a7a6f6121bf4d54732eff8a2207db0dc7a2583b541e448d973682a72ba787382624a791fd7a796daf19aa0d732d8385d5e21fc04144

C:\Users\Admin\AppData\Local\Temp\Cab5C54.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5C57.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c47f4b8a77a50516ffa1daf111a757fa
SHA1 c821c4251304c31fe84d24ceb2c9d8a4e4fab10b
SHA256 1c2b27b341355cef55f4d2c72e580f3f9d91b9df4be29ce525cfbb2a00ab8abe
SHA512 c221b8c2de78f292ef7cdae4fdc12e4e17090de41264fba966ff425c21b1afbe700693eebea57ef5599fdff8de4a166a74301316013bd9e0281e296b0c02a080

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64ed01a314394a2f4c1ca94f3995a468
SHA1 17296cbb9c6f1e94412f830727e983598975c634
SHA256 9e81d35e1e0a4d4db372de8928c338ba0e145083c2454aa5686e57384de4df17
SHA512 89e0c4572d1a091ad47e1d2384a25f93d872342739b8ad08fbba40e7da9f64758c5bc6d52e2eec8833f64ebb97b1a3eb6ff5f1ae2826cafd1029526111110027

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 698ae35b5fcecc3e7e29023d24e79698
SHA1 2f0c7198c21f2caf36793d84a53848b5d0f835b8
SHA256 a390d07201c589354b654c052ebe9be307705b2bf424040aedc9c957b9a79b08
SHA512 846cf037b10bed875871bb4fc3e6b767b5ee37c80887d9b7be50788cfe3d03f0c3fb0b962184e967ebda065bb16daf60ea7a9bdcc7cded4c8753e57259909fb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98ec963e8721decf13fc3e3fb6f2d289
SHA1 2ac417fb3d5f7c942587c98fd052a0606022593d
SHA256 42a373115f467c9c2476d4fd738c348559cfdc6befe218e71688535b8df80a63
SHA512 bcbe1ce54ccff82ea0e6744d0d7674d0990de0d40d2c13c7562f48b744e76421a5c66f960580dede046172b6cdb9513e770fabed222f60801699dbeb707be232

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0878a87771d7596b23bbf7fdf4658bc
SHA1 6ecba3c790d9ef4e36cd9c8a2e118f9ad2e35fda
SHA256 93bce75330dbc39d20375097d5a21f2fded1fecaced0319de2e229f0fc0e9722
SHA512 9bd3791288a56008bdcb9dea5576934666f730d0f00b5e955b804b17bf3eadcc597d2f973069cc1c50b3f56838b1bef0f4eee630ff0cd45975177eaf8ffa6c66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb7dcb6f8c42153cbe0e78ff7e8b7cd5
SHA1 283e3f833ec986a9851b1363bf0f9b645f79fd07
SHA256 96e961d0edd32a6a6c3e910933f479ac8fc6ecc7372140d68d344958d87faf21
SHA512 8b8d972dd57d6673e9bdba500528f3825a96e3e212ad2c477af49c573094b72e112dffe81b93f0845118c43c4e708446d2d15aa1c1119b874c54f27e0501fd96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96c7faa8aece785d8be75ac4802f6af2
SHA1 339796f90aaefcbcc0a59d2d3e6247a37d09fe13
SHA256 2a573d94c771cb7c1cad9f262b6806f50b1affe886fbf49309d1a78e0991d686
SHA512 9d527670ac1842da53eee2a11f0b1950fd7e69b0d63dc4f27e537e8c07d909d70f8545e79840bbcdd5b32488f3201599d52c6c8e93487433c3f57b28f1d8ae46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4317f7e9e55d369dd0e077259077167e
SHA1 257ea51e9213fed5a48115704a123c263b430602
SHA256 cf4046eab084e6eea20ff27068a73c880e8341703f21a331f4a91b0681e0c908
SHA512 b995b367d719eaba08e4bf5acdccfe59f79f9ef80e047c446161ca3adff2b8efd27d1876367aeb85ff5767ceb38e41d3dda6542e1f9ea859c0e3374181311405

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b55f50adc89e94ff784966ab26b4b4c
SHA1 c75d9efd6c0efa15f636972893874d44f858dbc8
SHA256 6b315fb4b5795e119518bca8c396c5adf57d3ce18ea80d39f1581445fa78e0f0
SHA512 ec09f67e2e8f2e354c7b7759d7b5849fcabd8d3a22f4145540884987198d5f60033cc56a403e3d82bac749b53009c32574f118fa21486ae482765d5ba752bbd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c92159bb73304d53689c225a9d899984
SHA1 cf60eeea8f8ff1d536eca8cf60d1fd793438a8e2
SHA256 93ac3c55844a957646dc4c76510ab649801015e3a478f55507cb79c0ba424527
SHA512 58d258cd34bfb0aa6907f4fb9d2d2921b5642a8d370a1b28275ae4d6ebc1ef3434c6d532cea1ce9705272957e539b6ac255d8a50066a3657a0a145d27fdcd119

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 76e3d83452353dad75b088423a7bda90
SHA1 365474e9d93f4539cbc861bb49c4b8d77203daf7
SHA256 2b7fe8e138de539ae6e462e4396e5e16ada600dda5ad377fa5ee729dd76753aa
SHA512 6ee1c7b3038cb82a77062fac670828f08b3677a384f862d024918948eccff059e7be244371e290b2b846f3e20b88ef8250787783585e34c74beb73df4a7bb91e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d4b53229a50486db65f7de78eaa1b1b
SHA1 b5ebe6128223d8406e8749df1fb76ed25292f9ee
SHA256 885519efd4db9f45459d1f9613fc562640d8d414a89afbd8c4b06a94d3631d32
SHA512 fb9edb7b955ca78bd5cfb29d061daf279919f643aadd7c906c87ba9eecd99112003f063c9d51846a9ff85fbd402e4f72692fb7fe216900ebadae9b8627f19ef3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a96f225a14b62e4f84b0af67f437d47b
SHA1 a02d51f80b7ccadd867eef221f1fddb43445fcf2
SHA256 e540b3699dc45dcbc81b4a0884af09cd22fd6f19639a93a4e142f27a0adcb3dc
SHA512 6841a24facec3151040d2c52dd1709d0409c7bb2a187dbd344800aba389dfba6d9bed8a8d629186e8d56cfae4219d5c0a1686fd3cad153c397336e7fe9d245b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af24b0f5819db5c0038639b4f0e9084b
SHA1 5a2c63bd04922ba4d4fd6c7c9bbbbcf310ffae87
SHA256 c3d45cbc66ee5e899e4d09ed72c3c7521915ffacb29f052fa88cafc71d3a86cb
SHA512 2b13ec6162e37acb5f45dfaeae2be460948fa9c6777c594cc9cf4ab583865440b34da63d4e05b34b3c3a1d872c4726ffd51f1aa9bfce516354aa6fc7c5f9cfc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b5cb44a7fa71338c8bbba123bd33f14
SHA1 ca99a98fe0fa7f617d940d319f05609c583b3685
SHA256 c82b4a51996ec3c1833e99c9fa8c5083fc46cfbde4a34521d3f8dd7b30be1ade
SHA512 117def4520504329e372c3ed8975c9f3ef40a69330ba37bdd47919601e7d0cf387ca6d33c520cdaa52f10eab27ba10e86badd8a56f93c057695685e2399520e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a106d8505eae260b28a6163fca36607
SHA1 38309ade26a351639b3b892a3b5a4d92432cacf9
SHA256 36b3c702c5235e78065768a28d28271a3941af97ac173281ce31d119228235e5
SHA512 f269b9a2a8da87b311c34b074d868d3a750f7da79a9badb7e937b5e54a6e27849c66cd982472562fa4ee2c4540712bb44842710e5a337ff903faba505c2d68af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f5a48b2bc037dd8880206bd0f4d9821f
SHA1 cc8b497b0345d8f541c6687627dfd3f180369ce4
SHA256 1bd0fe2b9eff1b027ba7189637e01ecf53f4e3ee2aeebb1a14948118e493773f
SHA512 b2e542680c9d1e568e110db9eb87492677db89722c7b9f07a403181c954d49ed1e2b3a44255d93de3ff356f6faea4d53bf59d1a354a4aa679abc2fcd255c1a0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 996334a7d9e3177d462c050ca517ca7a
SHA1 f1ffd28416e9c61fdc7119a93880bfcd453d66ab
SHA256 7baf374904bb62dcb3332b4814678644df6610fc1e36ddd0741aac8774d2dcb1
SHA512 78d61ff3cb19c5e0e3e7a213b4fac06bb98d2c91bd15cf9633d1d506ca9e208fa22e683166fb64ff628df88cc380effc3aeab27e31a8ad358b44bd6dc109d962

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89499ea9346244ba1aee19604338a1cf
SHA1 ef9b1e77fcf57fc3746c96c01632f4330b1a2aef
SHA256 71bfd78be3217231093a4f7155e50784236e0399f49ae2742c1a561c23669748
SHA512 245ce1524c4a29f0577e6f9c34a5dad4cf42594d77058d432c53ca2a34acfe668aff9f3cba5b1a6f1b6d6da3cba97b523aba9c0395008fa8798d456060ceeaac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7dcca3fc5d636d8ec398e202fb0a4190
SHA1 d6f1f7fe8174cbde246b421beb78c34f72b64e88
SHA256 6fff609a8fc250d0881d9964e1b645c838c9c6a113d0c4740ef0461bb801873a
SHA512 690152c287c93d88997f0234c8a092ea7aaf9f9522ce52155a38206cb93f1ea70120bee89e614ac8343631a778110e10d32bf606b950bb8646b8de9ea00af189

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76955ed0117a706721865a3ef62cd1df
SHA1 8d4c9ddfb1c06fedfa200202f7ac67968030f032
SHA256 96d441b717966efabea47a1435be22e804c564a9ea2b6971f1ec92f8fc98cd8a
SHA512 47e2b03b221291dcecdc5c6223cc7c91c215f603a63c317c4a0fb00f576089e97ef70dad8d0278f6cb26d674f0173fb8dedb5c602966a177b10ef63035d91136

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed2e79aac14ed4f1aa8597a561623dee
SHA1 c0ea8f8c7a1d141697eae55028fb8ebceb13b608
SHA256 6c3c6a0e055eaf4fbe2f4a73d0cf5f2a8755126c3caab7235b64f65bbb38b1f8
SHA512 198974dfb427198187cf03b006307032d9982c348ff5d9e91f301b513607a2f6f6e9279ec4ea89d889c20a0fff178ad0fe3a9a09aa290fd03409a312ed815894

Analysis: behavioral7

Detonation Overview

Submitted 2023-10-04 22:00

Reported 2023-10-04 22:02

Platform win10v2004-20230915-en

Max time kernel 149s

Max time network 155s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{696C5CEF-6301-11EE-A4AD-DA9BDFB2881E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea900000000020000000000106600000001000020000000dda1ffe32faaa58987bfccd14e534b85dbea437578b2cfc0794d9ab1e36ab1d9000000000e8000000002000020000000fa7000423603cd822f261c5bb588d30a6b9ad4f1f2172af8a6c8950c98364cb42000000045022593b52bfd94ce3bbdf7551463bb2b730d12f1ef3f639e4994403ce679ee40000000e477ccedb81395a2f5f8053bf5418cad3a19be8c2b9abda07633697f2c69aff0e52ddb72847c06c7f8d2c3d70e979022a2fdd0b23c721e1b9facf1aa7a0f04f4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f058c33f0ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea9000000000200000000001066000000010000200000002c97c1882537a1d352040c1cff6b10c528bc14d33ca5cad7b7667bd76d5544e4000000000e8000000002000020000000bcb4f1d77174238492df4e3e28da245a5c29d42d06f4e322ce8125f1863dfd0420000000d25e72d56b533a1788263ad2fa4db4e6a4778cdda69e6a9b177c440a3aea72b8400000000b9ef4fcdf7585c9ac65669723af0303dcab6b9c4a1bd3bc19754d51c4515f6f32a7531478906416e1f061e0c502a35d6a634b0dd9da6a6099ab2e9bf0762657 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1043210677" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1063523488" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31061774" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403221797" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1043210677" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2016ac410ef7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
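
The Domain column mixes three kinds of row: PTR lookups (in-addr.arpa names, whose labels are the looked-up address with its octets reversed), one ordinary query for tse1.mm.bing.net, and the TCP connections that followed. The Python below is an added example, not part of the report; it parses the rows above (copied here as the sample input) and separates resolver traffic from the connections the process actually made, so that the reverse-lookup rows are not misread as the browser contacting eighteen different hosts. In this run the only outbound connections are to 204.79.197.200:443 for ieonline.microsoft.com and tse1.mm.bing.net, consistent with Internet Explorer's own new-tab-page and domain-suggestion traffic (the DomainSuggestion registry writes above and the suggestions[1].en-US cache file below).

```python
# Added example (not part of the sandbox report): classify a sandbox network
# table into PTR lookups, other DNS queries and real connections.
import ipaddress
import re
from collections import Counter

# Rows copied from the Network table above; constructed sample input for this example.
NETWORK_TABLE = """\
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def reverse_ptr(name):
    """Map an in-addr.arpa PTR name back to the IPv4 address it asks about, or None."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        # Labels are the address octets in reverse order; IPv4Address rejects octets > 255.
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:
        return None


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts, skipping anything else."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain,
                     "proto": proto, "ptr_target": reverse_ptr(domain)})
    return rows


def triage(rows):
    """Separate resolver traffic from the connections the process actually made."""
    ptr = {r["ptr_target"] for r in rows if r["ptr_target"]}
    queries = {r["domain"] for r in rows if r["port"] == 53 and not r["ptr_target"]}
    conns = {(r["ip"], r["port"], r["domain"], r["proto"]) for r in rows if r["port"] != 53}
    return {
        "ptr_lookups": sorted(ptr, key=ipaddress.IPv4Address),
        "dns_queries": sorted(queries),
        "connections": sorted(conns),
        "resolvers": Counter(r["ip"] for r in rows if r["port"] == 53),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

The reversed-octet step is the part that is easy to get wrong by eye: 64.159.190.20.in-addr.arpa is a lookup for 20.190.159.64, not for anything in 64.0.0.0/8. The same parser applies to the Network tables of the other behavioral runs on this page.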

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\24U7FPCO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee